(57) Abstract 

A computer-implemented intrusion detection system and method (1) that monitors a computer system in real-time for activity 
indicative of attempted or actual access by unauthorized persons or computers. The system detects unauthorized users (20) attempting to 
enter into a computer system by comparing user behavior to a user profile (22), detects events that indicate an unauthorized entry into the 
computer system (90), notifies a control (37, 97) function about the unauthorized users and events that indicate unauthorized entry into 
the computer system and has a control function (125) that automatically takes action in response to the event (127). The user profiles 
are dynamically constructed for each computer user when the computer user first attempts to log into the computer system (24) and upon 
subsequent logins (25), the user's profile is dynamically updated (25). By comparing user behavior to the dynamically built user profile 
(3-5), false alarms are reduced. The system also includes a log auditing function (10), a port scan detector (75) and a session monitor 
function (90). 
INTRUSION DETECTION SYSTEM 
TECHNICAL FIELD OF THE INVENTION 
The present invention relates generally to intrusion detection for a computer 
system. More particularly, the invention is a computer-implemented intrusion detection 
system and method that monitors a computer system for activity indicative of attempted or 
actual access by unauthorized persons or computers. 

BACKGROUND 

Because of the increasing reliance on Internet, Intranet and extranet network 
computer access, intrusion into computer systems by unauthorized users is a growing 
problem. An intrusion is unauthorized access or attempted access into or unauthorized 
activity in a computer or information system. Intrusion detection technologies are therefore 
becoming extremely important to improve the overall security of computer systems. 
Intrusion detection is the process of identifying that an intrusion has been attempted, is 
occurring or has occurred. 

In most intrusion detection systems, data may be automatically collected and 
reduced but the analysis of that data usually remains manual. Profiling and pattern 
recognition techniques also have been used to analyze the data collected and presented to 
an intrusion detection system. The off-line analysis involves determining normal behavior 
for a user, application or system. The normal behavior is then used to develop sets of 
rules. Significant deviations from the rules, referred to as anomalous behavior, may then be 
flagged as potential intrusions. Some intrusion detection systems, based on anomaly 
detection techniques, look for statistically anomalous behavior, that is, behavior that 
appears unusual when compared to other user behavior. One drawback of anomaly 
detection systems is that they are prone to both false positive and false negative alerts 
because the rules are general in nature and not specific for the behavior of each user. 
False positives occur when the intrusion detection system identifies an event as an 
intrusion when none has occurred. False positives may divert the attention and time of the 
system administrator and security staff and if frequent enough, may cause a lack of 
confidence in the intrusion detection system. False negatives are instances where the 
intrusion detection system fails to detect an intrusion while it is occurring or after it has 
occurred. The result may be slow or no response to the intrusion that can result in financial 
loss and system damage. False negatives often occur because the models used to profile 
the anomalous behavior do not adequately predict the intruder behavior and its result 
within the computer system. 
combine the above listed capabilities with real-time monitoring of log audit files, port scan 
detection capability and session monitoring. 

The present invention is a computer implemented method for detecting intruders in 
a computer system. The method comprises the steps of detecting an unauthorized user 
attempting to enter into a computer system by comparing actions of the user to a 
dynamically built profile for the user, and if the action is out of range of the user profile, 
notifying a control function. Events that indicate an unauthorized entry into the computer 
system has occurred are also detected, and if an event occurs that indicates unauthorized 
entry, a control function is notified and automatically executes a specific action in response 
to the event. 

The dynamically built user profile comprises dynamically constructing a user profile 
for each computer user when the computer user first attempts to log into the computer 
system, dynamically updating the user profile for the user for each attempt by the user to 
log into the system after the first attempt, and updating the user profile when the user logs 
out of the computer system. 

Dynamically monitoring computer system log files comprises monitoring for events 
that indicate an unauthorized attempted entry into the computer system. Dynamically 
monitoring system log files comprises comparing the system log files to events to ignore 
and ignoring the event if the system log file indicates a match with the event to ignore and 
comparing the system log files to events known to indicate an unauthorized entry into the 
computer system and notifying a control function about the unauthorized entry and 
automatically executing a specific action in response to the event by the control function. 

The method further comprises dynamically monitoring user actions after the user 
has logged into a computer system for unauthorized access by the user to system 
information, and if unauthorized access occurs, notifying a control function about the 
unauthorized access and automatically executing a specific action in response to the event 
by the control function. The method dynamically monitors user actions after the user has 
logged into a computer system for corruption of system information by the user and if 
corruption of system information occurs, a control function is notified and automatically 
executes a specific action in response by the control function. 

The method further comprises scanning network ports to determine if a user has 
connected to more than a selected number of network ports. If the user has exceeded the 
selected number of network ports, the control function is notified and automatically 
executes a specific action in response to the event. The selected number of network ports may 
be set by the system administrator. 
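As an added illustration (not code from the patent), the following Python models the port scan detector described here and in the Fig. 6 discussion: ports in local use are dropped from the monitored list, the remaining ports act as tripwires, and a source that touches more than the administrator's selected number of ports is reported to the controller. The port numbers, addresses and threshold are constructed values.

```python
from collections import defaultdict

# Constructed configuration (assumed values, not from the patent): the administrator
# chooses the tripwired ports, the ports never to watch, and the alarm threshold.
FAKE_PORTS = {21, 23, 79, 110}   # no real service listens here; any hit is a tripwire event
DO_NOT_MONITOR = {22}            # list of ports that are never monitored (step 77)
MAX_PORTS_PER_SOURCE = 3         # the "selected number of network ports" (83)


class PortScanDetector:
    """Tracks which monitored ports each remote source has touched and notifies a controller."""

    def __init__(self, local_services, fake_ports=FAKE_PORTS,
                 do_not_monitor=DO_NOT_MONITOR, threshold=MAX_PORTS_PER_SOURCE):
        self.local_services = set(local_services)   # ports genuinely in use locally (step 79)
        self.candidates = set(fake_ports) | self.local_services   # ports the detector knows about
        self.do_not_monitor = set(do_not_monitor)
        self.threshold = threshold
        self.hits = defaultdict(set)     # source address -> monitored ports it connected to
        self.alerts = []                 # messages sent to the control function

    def monitored_ports(self):
        """Steps 77-81: watch known ports, except ignored ones and ports in local use."""
        return (self.candidates - self.do_not_monitor) - self.local_services

    def service_started(self, port):
        """A local service now uses the port, so it is temporarily not monitored (step 80)."""
        self.local_services.add(port)

    def service_stopped(self, port):
        """The local service is gone; the port goes back onto the monitored list (step 81)."""
        self.local_services.discard(port)

    def connection(self, source, port):
        """Record one connection attempt. Returns the alerts raised by this attempt."""
        raised = []
        if port not in self.monitored_ports():
            return raised                                   # step 78: no action
        raised.append(("tripwire", source, port))           # a tripwired port was touched
        self.hits[source].add(port)
        if len(self.hits[source]) > self.threshold:         # step 83: too many ports
            raised.append(("port_scan", source, sorted(self.hits[source])))
        self.alerts.extend(raised)
        return raised


# Constructed sample of (source address, destination port) connection attempts.
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", 80), ("10.0.0.5", 25),                   # ordinary use of the real services
    ("203.0.113.9", 21), ("203.0.113.9", 23), ("203.0.113.9", 25),
    ("203.0.113.9", 79), ("203.0.113.9", 80), ("203.0.113.9", 110),  # sequential sweep
]


def run_demo(connections=SAMPLE_CONNECTIONS):
    """Replay the sample against a host where only SMTP (25) and HTTP (80) really listen."""
    det = PortScanDetector(local_services={25, 80})
    for source, port in connections:
        det.connection(source, port)
    return det


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert)
```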
the unauthorized users and events. The action is selected from the group consisting of 
logging the information in a local controller, sending the information to a network controller, 
disabling the unauthorized user's account, blocking access to the computer system for the 
user, notifying a system administrator and ignoring the unauthorized user and unauthorized 
entry. The action taken may be defined by the system administrator prior to initialization of 
the intrusion detection system. 

The control function may be located in a local computer where the unauthorized 
user and unauthorized entry occurred. The control function in the local computer sends 
information about unauthorized users and events to a central computer connected to the 
local computer. Alternatively, the control function may be located in a central computer 
connected to the local computer. Multiple local computers may be connected to the central 
computer. 

The central computer comprises performing centralized analysis of unauthorized 
users and events, performing correlation of unauthorized users and events from the 
multiple local computers, alerting a central computer system administrator, and sending the 
analysis and correlation results to the multiple local computers. 

The method further comprises, for each user, continuously monitoring user activity 
for a threat to the computer system. Continuously monitoring comprises analyzing user 
command entries and comparing the entries to known threat events and known attack 
patterns indicating a computer intrusion and if a match occurs, notifying the control function 
and allowing the control function to take user specified action in response. Continuously 
monitoring the system process accounting records comprises comparing the entries to 
known threat events and known attack patterns indicating a computer intrusion and if a 
match occurs, notifying the control function and allowing the control function to take user 
specified action in response. 

The method further comprises continuously monitoring commands entered by the 
user and comparing the commands to known threat events and known attack patterns 
indicating a computer intrusion and if a match occurs, notifying the control function and 
allowing the control function to take user specified action in response. The method further 
comprises continuously monitoring network port activity and comparing the activity to 
known threat events and known attack patterns indicating a computer intrusion and if a 
match occurs, notifying the control function and allowing the control function to take user 
specified action in response. The action taken may be selected from the group consisting 
of logging the event, removing the user from the computer system and executing a 
selected command. 
BRIEF DESCRIPTION OF THE DRAWINGS 

The features, aspects and advantages of the present invention will 
become better understood with regard to the following description, appended claims and 
accompanying drawings where: 

Fig. 1 shows a functional block diagram of the host based intrusion detection 
system. 

Fig. 2 is a block diagram of the log file auditing function. 

Fig. 3 is a flow diagram of the login anomaly detection function. 

Figs. 5A and 5B are flow diagrams of the logout anomaly detection function. 
Fig. 6 is a flow diagram of the port scan detector function. 
Fig. 7 is a flow diagram of the session monitor function. 
Fig. 8 is a flow diagram of the controller function. 

Fig. 9 is a block diagram of an alternate embodiment of a host based intrusion 
detection system having a central system controller. 

Fig. 10 is a flow diagram of program setup for the intrusion detection systems. 
DETAILED DESCRIPTION OF THE DRAWINGS 

Fig. 1 shows a functional block diagram of the intrusion detection system. The 
system is comprised of a log audit function 2, a login anomaly detection function 3, a logout 
anomaly detection 7, a session monitor function 4 and a port scan detector function 5 
interfacing with a local controller function 6. The log audit function 2, login anomaly 
detection function 3, logout anomaly detection function 7, session monitoring function 4 
and port scan detector function 5 all operate in real-time to detect activity indicative of an 
attack by unauthorized users or systems. The log audit function continuously monitors 
system log files for anomalous activity which can include known suspicious activity and 
unknown system anomalies. When anomalous behavior occurs, the log audit function 2 
notifies the controller 6 and sends information about the activity to the controller 6 for 
further processing. The log auditing function 2 is described in Fig. 2. The login anomaly 
detection function 3 monitors system login activity and when anomalous behavior is 
detected, notifies the controller and sends information about the activity to the controller 6 
for further processing. The login anomaly detection function 3 is described in Fig. 3. The 
logout anomaly detection function 7 monitors system logout activity and if anomalous 
behavior is detected, notifies the controller and sends information about the activity to the 
controller 6 for further processing. The logout anomaly detection function 7 is described in 
Figs. 5A and 5B. The session monitoring function 4 watches user activity after a login has 
been established. The function continuously watches keystrokes for known attack 
signatures and suspicious activity. Signatures are kept in a user-editable database on the 
local machine. Once suspicious or known attack activity is detected, the session monitor 4 
will send information about the activity to the controller 6 for further processing. The 
session monitoring function 4 is described in Fig. 7. The port scan detector function 5 
monitors Internet ports (such as TCP and UDP) for port scanning activity which is a method 
used by attackers to determine the vulnerabilities of a target host and to run a series of 
attacks to gain entry on the vulnerable target host. When the port scan detection function 5 
detects port scanning activity, it sends information about the activity to the controller for 
further processing. The port scan detector function 5 is described in Fig. 6. The controller 
function 6 controls all actions that the host-based intrusion detection system may perform. 
Upon being notified by the log audit function 2, the login anomaly detection function 3, the 
logout anomaly detection function 7, the session monitor 4 or the port scan detector 
function 5 that an anomalous activity has occurred, the controller takes an appropriate 
action based on that activity. The controller function is described in Fig. 8. 

Turning now to Fig. 2, a block diagram of the log file auditing function is shown. 
The log auditing function 10 monitors the system login auditing files 11 by comparing the 
log file activity to known attack events 12, known security violations 13, and events to ignore 
14. If the log file activity indicates a known attack event 12 or a known security violation 13 
indicating a suspicious event or unknown event has occurred or is in the process of 
occurring, then the log auditing function 10 constructs a message containing the log file 
information and signature identification information and forwards it to the controller for 
action. The log auditing function can run on a periodic basis with the period selected by 
the user or it can run continuously in real-time. The user has the flexibility to add or remove 
functions within the login anomaly detection to customize the system. 

Turning now to Fig. 3, a flow diagram of the login anomaly detection function 20 is 
shown. The system monitors login and logout audit files and logs (records) all logins and 
logouts for the target host 21. The target host is the computer that the user is logging into 
or logging out of. The system login auditing files may be login records (such as wtmp and 
utmp records) for a Unix® based operating system or may be event logs for a Windows 
NT® operating system. The system checks to determine if the user should be ignored 38. 
Certain users are not checked for login or logout anomalies. If the user is to be ignored, 
processing continues at step 35 where the user is logged into the system. If the user is not 
to be ignored and if the user is logging in to the system, the monitor builds/updates the 
user profile database 22 and updates the active user database as shown in Fig. 4. The 
system administrator has the flexibility to add or remove functions within the logout 
anomaly detection to customize the system. 

Turning now to Fig. 4, a flow diagram is shown of the user profile database and 
active user database update function. If the user is not in the user profile database 23, then 
the user is a new user and the process first login function is executed 24. A new user profile 
entry is created 24 which contains the user name, the login host, the login terminal 
(sometimes called the TTY), the time of creating the initial user profile, the time of the 
user's first login, the set days and hours the user is allowed login access, the version of the 
database record type and sets the initial number of logins to one. In addition, the system 
administrator is notified whenever a user logs into a host for the first time. If the user is 
already in the user profile database 23, then a user profile entry already exists for this user 
and that profile is updated 25. The updates to the user profile include appending the login 
time, login host and incrementing the total number of logins. The system also checks to 
determine that the user's login account is still valid, that is that it has not been disabled by 
a system administrator. An entry is created in the active user database 36 which contains 
the user's name, the terminal the user is logged in on, the time of login for this entry and 
the version of the database record. 

Turning back to Fig. 3, the next step is to check to determine if the login is from a 
foreign domain 26. A foreign domain is one that is not contained within or allowed access 
to the host where the login is attempted. The list of allowed domains within the system is 
accessed 27 and if the login domain is not listed, it is considered foreign and the control 
function is notified 37. 

The user login is checked to determine if there are multiple concurrent logins for the 
same user 28. A multiple concurrent login means that a user is logged into the system more 
than once from one or more different hosts concurrently. This type of behavior may indicate 
an intrusion. The log file is checked to determine if a user is logged in from one or more 
different hosts concurrently. If so and the user is not allowed to have multiple logins 29, 
then this login entry is denied and the multiple users are logged off from the system 30. 

The next step is to determine if the user is logged in at an unusual time 31. For 
each user, a profile is automatically built of the days, times and length of time that the user 
has logged in. Once a certain threshold number of user logins have occurred for this user 
to allow for accurate user profiling (usually approximately ten logins, but this can be 
adjusted by the user), the day and time of the current user's attempted login is compared to 
that profile. If the current login time differs from the user's login profile, the control function 
is notified 37. 

The next step is to compare the login activity with known attack patterns 34. If the 
login activity is similar to a known attack pattern, then the control function is notified 37. 
Next the history file is checked for suspicious command entries 39. 

If these steps are successfully completed, the user is logged in 35 and the user's 
profile database entry is updated and the active user database is updated to track the login 
state of the user. 
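The login flow of Figs. 3 and 4 (first-login notification, profile update, the foreign domain, concurrent login and odd login time checks), worked through as an added Python example that is not the patent's own code; the host names, the allowed domain list and the ten-login threshold value are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Logins needed before the day/hour profile is trusted; the text says approximately ten.
PROFILE_THRESHOLD = 10


@dataclass
class UserProfile:
    """One entry of the user profile database (22); fields follow the first-login step (24)."""
    user: str
    created: datetime
    first_login: datetime
    hosts: list = field(default_factory=list)
    login_times: list = field(default_factory=list)
    logins: int = 0
    allow_multiple: bool = False   # whether concurrent sessions are permitted (29)
    disabled: bool = False         # account disabled by an administrator


class LoginAnomalyDetector:
    def __init__(self, allowed_domains, ignore_users=(), threshold=PROFILE_THRESHOLD):
        self.profiles = {}                 # user profile database (22)
        self.active = defaultdict(list)    # active user database (36): user -> [(host, tty, time)]
        self.allowed_domains = set(allowed_domains)
        self.ignore_users = set(ignore_users)
        self.threshold = threshold
        self.controller_log = []           # notifications sent to the control function (37)

    def _notify(self, kind, user, detail):
        self.controller_log.append((kind, user, detail))

    @staticmethod
    def _domain(host):
        return host.split(".", 1)[1] if "." in host else host

    @staticmethod
    def _in_profile(prof, when):
        """True if this login's (weekday, hour) was seen in the user's earlier logins."""
        seen = {(t.weekday(), t.hour) for t in prof.login_times[:-1]}
        return (when.weekday(), when.hour) in seen

    def login(self, user, host, tty, when):
        """Process one login record (Fig. 3). Returns True if the login is allowed."""
        if user in self.ignore_users:                          # step 38
            self.active[user].append((host, tty, when))
            return True
        prof = self.profiles.get(user)                         # Fig. 4, step 23
        if prof is None:                                       # first login (24)
            prof = UserProfile(user, created=when, first_login=when)
            self.profiles[user] = prof
            self._notify("first_login", user, host)
        prof.hosts.append(host)                                # profile update (25)
        prof.login_times.append(when)
        prof.logins += 1
        if prof.disabled:                                      # account no longer valid
            self._notify("disabled_account", user, host)
            return False
        if self._domain(host) not in self.allowed_domains:     # steps 26, 27
            self._notify("foreign_domain", user, host)
        if self.active[user] and not prof.allow_multiple:      # steps 28-30
            self._notify("multiple_concurrent_logins", user, host)
            self.active[user].clear()                          # log the other sessions off
            return False                                       # and deny this one
        if prof.logins > self.threshold and not self._in_profile(prof, when):  # step 31
            self._notify("odd_login_time", user, when.isoformat())
        self.active[user].append((host, tty, when))            # steps 35, 36
        return True

    def logout(self, user, tty):
        """Logout entry: remove the session from the active user database (step 50)."""
        self.active[user] = [s for s in self.active[user] if s[1] != tty]


def demo():
    """Constructed scenario: eleven weekday 09:00 logins, then a Sunday 03:00 login,
    then a second session from an outside domain while the first is still active."""
    det = LoginAnomalyDetector(allowed_domains={"corp.example"})
    when, done = datetime(2024, 1, 8, 9, 0), 0          # Monday 09:00
    while done < 11:
        if when.weekday() < 5:
            det.login("alice", "ws1.corp.example", "pts/0", when)
            det.logout("alice", "pts/0")
            done += 1
        when += timedelta(days=1)
    det.login("alice", "ws1.corp.example", "pts/0", datetime(2024, 1, 28, 3, 0))  # Sunday
    det.login("alice", "gw.example.net", "pts/1", datetime(2024, 1, 28, 3, 5))
    return det, [kind for kind, _, _ in det.controller_log]


if __name__ == "__main__":
    for entry in demo()[0].controller_log:
        print(entry)
```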

Turning now to Figs. 5A and 5B, a flow diagram of the logout anomaly detection 
function is shown. When a user attempts to logout, the logout anomaly detector 49 goes 
through a series of steps to process the logout to determine if something has occurred 
during the user's login time that may indicate a system anomaly. The logout entry for the 
user is updated in the user profile and the active user database is updated 50. If the user is 
to be ignored 65, then no other checking is done and the user is successfully logged out 
70. The next step is to determine if the user's history file has been compromised 51. If the 
history file no longer exists 52, the history file has been truncated 53 or the history file is a 
symbolic link 54, the event is logged and information about the event is sent to the 
controller 55. The system examines the most ... and other system ... files to 
Turning now to Fig. 6, a flow diagram of the port scan detector is shown. Port 
scanning is a method used by attackers to determine the vulnerabilities of a target host. 
Once vulnerabilities are found, a series of attacks are usually run to gain entry. Ports 
are part of the TCP/IP protocol, which is the common protocol of the Internet, allows 
machines to communicate throughout the world in a reliable manner, and allows the use of 
protocols on remote and local hosts to establish connections between hosts. The ports 
available on a host are usually between the ranges of 1 to 65535, with ports 1 to 1024 
being what is commonly referred to as reserved for use by critical Internet services. Each 
port that presents a service to a remote user is usually registered with the Internet Assigned 
Numbers Authority registry so that users know what ports to avoid or specifically connect to 
depending on the services being requested. Examples of commonly used ports are: 

21 - File Transfer Protocol (FTP) services. 
25 - Simple Mail Transfer Protocol (SMTP) services. 
80 - HTTP services (WWW servers). 

When an attacker is looking for a new host to penetrate, the attacker looks for 
Internet programs that have known exploitable problems. These programs (called 
"daemons") vary in number and degree of susceptibility to problems. As new problems are 
found the hacker community quickly makes use of them to penetrate more hosts. To 
facilitate looking for new victims, the attacker will use a program that may either: connect to 
all ports on the remote machine or deliberately pick one or more ports to search for a 
particular problem. Some of the ports may not answer, in which case the attacker moves 
on. Other ports will answer and the attacker can then glimpse at what problems they can 
take advantage of. Often attackers will go from host to host on the Internet looking for the 
same problem to exploit. An example port scan of a host may return the following 
information: 

    localhost    telnet    23/tcp 
    localhost    smtp      25/tcp 
    localhost    finger    79/tcp 
    localhost    http      80/tcp 
    localhost              110/tcp 
The port scan detector of the present invention alerts administrators that a person is 
actively looking for services on their host in a manner that indicates a hostile action. In the 
above port scan example our detector could present "fake" ports that an attacker will likely 
scan for. This could change the above port scan into the following: 

    localhost              23/tcp (Fake port) 
    localhost    http 

So even though in our example system there are only ports 25 and 80 active, the other 
ports will be tripwired by the port scan detector waiting for an attacker to unwittingly try to 
connect to them. When this occurs, the administrator or program can then take action to 
prevent this activity. In Figure 6, a flowchart of the port scan detector function 75 is shown. 
Internet ports (such as TCP and UDP) are monitored 76. If the port is in a list indicating 
that the port is not to be monitored 77, processing ends and no action is taken 78. If the 
port is in a list indicating it is to be monitored 77, the next step is to determine if the port is 
being used locally 79. If the port is being used locally it is temporarily removed from the 
monitored list until it is no longer used locally 80. If the port is not being used locally, the 
port is placed in the list of ports to be monitored 81. If the terminal or host computer where 
may be part of a network that contains multiple host computers (1 through N) 151-153. 
Each host 151-153 comprises a local controller that sends information about log auditing, 
login anomaly detection, logout anomaly detection, session monitoring and port scan 
detector functions to the central controller. The central controller can perform centralized 
auditing of events 154, data analysis 155, cross correlation of intrusion activity throughout 
the network 156 and can alert the network system administrator 157 if anomalous activity is 
found. In addition, the central controller 150 can send information about anomalous activity 
found within the system back to the multiple hosts 151-153 so as to alert the hosts. 

Fig. 10 is a flow diagram of a program set up for the intrusion detection system. 
Prior to initialization of the intrusion detection system, the system administrator 161 may 
select program functions to run in the intrusion detection system. For example, the system 
administrator may select the log auditing function 162, login anomaly detection 163, logout 
anomaly detection 164, session monitor 165 and port scan detector 166. The system 
administrator may also select the actions to be taken by the control function if an 
unauthorized user or event occurs 167. If the system administrator chooses not to select 
functions, the preprogrammed default functions will run. If the system administrator 
chooses not to select the actions to be taken by the control function or only changes some 
of the actions, the preprogrammed default actions will be used. The system administrator may 
also alter the alarm thresholds or use preprogrammed alarm thresholds 168. The system 
administrator may select whether a warning is to be displayed on the system administrator's 
graphical user interface 169. The system administrator may also select whether a local or 
central controller will be used for reporting and for taking action 170. 

Fig. 11 is a block diagram of the software modules of the Login Anomaly Detector. 
The Login Anomaly Detector 3 comprises a login audit module 180, a first login warning 
module 181, a foreign domain warning module 182, a multiple concurrent logins module 
183 and an odd login time module 184. 

The login audit module 180 logs all user logins into the target host computer. This 
information is recorded in the system audit records and the intrusion detection system also 
records this information. The login audit module 180 provides a secondary audit trail of user 
activity in case the system audit files are damaged or altered. 

The first login warning module 181 notifies the control function and/or 
administrators whenever a user logs into a host for the first time. After the first login the 
module will no longer activate. The first login warning module 181 detects a first time login 
by noting whether the user has more than one login in the dynamic user database. It is 
used to spot users who are not authorized to connect to the computer system. 
Fig. 12 is a block diagram of the software modules of the Logout Anomaly Detector. 
The Logout Anomaly Detector 7 comprises a logout audit module 190, a suspicious entries in 
user's home directory module 191, a generic file exists module 192, a history file truncated/altered 
module 193, a suspicious directory name module 194, an altered/missing audit record module 
195, a network process active module 196, a suspicious history file commands module 197, 
and an .rhost file exists module 198. 

The logout audit module 190 logs all user logouts from the target host computer. 
This information is recorded in the system audit records and the intrusion detection system 
also records this information. The logout audit module 190 provides a secondary audit trail of 
user activity in case the system audit files are damaged or altered. 

The suspicious entries in user's home directory module 191 checks for a 
".rhost" file in the user's home directory with a dangerous entry. Dangerous entries include 
wildcard characters. If a wildcard character is found, the suspicious entries in user's home 
directory module 191 alerts the administrator that a dangerous .rhost file exists. Dangerous 
entries indicate suspicious activity for most users and may allow the host system to be 
easily compromised by remote attackers. 

The generic file exists module 192 checks an administrator-generated list of 
files to see if one or more of them exist in the user's home directory. This module allows an 
administrator to flag certain files for monitoring (password files, etc.) and generate custom 
alerts. A file list is used to parse against the user's directory listing. If a matching file name 
is found the event is flagged and the control function and/or system administrator alerted. 

The history file truncated/altered module 193 checks a user's command 
history file for alterations or truncations. Hackers often alter the history file to conceal 
activity on a host. The module checks to determine if the history file is truncated to zero 
bytes long, is missing or deleted and if the history file is a "symbolic link" to another file or 
device. If the history file indicates that any of these conditions have occurred, this may indicate 
that unauthorized activity is being hidden, as is the case on many attacked hosts. When an 
altered history file is found it is reported to the central controller and the system administrator 
may be notified. 

The suspicious directory name module 194 detects suspicious directory names. 
Hackers will often employ odd directory names in order to hide activity on a host. This 
module searches for common directory name hiding tactics. For example, this module will 
check a user's home directory for odd directory names such as: ".. ", etc. and notify 
the control function and report them to the administrator if one is found. The directory 
names that can be searched for are configurable by the administrator. 

The altered/missing audit record module 195 checks to determine if an entry for the 
user's session is missing from the systems audit records (such as utmp, wtmp, event logs 
monitor program to alert the controller and system administrator or disable the user 
account. 

The .rhost file exists module 198 checks for the existence of a ".rhost" file in the 
user's home directory. The .rhost file contains a list of hosts that are trusted by the system 
when a login is detected originating from them. If a user is originating from a host that is 
listed in the .rhost file, then they are allowed access to the system as long as their account 
name matches the owner of the .rhost file. If an entry such as "++" is placed in the .rhost 
file, it signifies a wildcard and any host can log into the system as the owner of the .rhost 
file. A wildcard entry is always suspicious and is virtually always a dangerous modification. 
If an .rhost file exists in the user's directory, and is greater than zero bytes, then the 
controller is notified and the system administrator may be alerted. 
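An added Python example (not from the patent) of the logout-time home directory checks described for modules 191, 193, 194 and 198 and for steps 51 to 55 of Figs. 5A and 5B, run against a constructed temporary home directory; the history and .rhosts file names and the directory-name list are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Assumed file names: the text only says "history file" and writes ".rhost"; on Unix the
# files are normally .bash_history/.sh_history/.history and .rhosts.
HISTORY_FILES = (".bash_history", ".sh_history", ".history")
RHOST_FILE = ".rhosts"
# Administrator-configurable list of hiding-tactic names (module 194); ".. " is the page's
# example, the other two are constructed.
SUSPICIOUS_DIR_NAMES = {".. ", "...", ". "}


def check_history_file(home, names=HISTORY_FILES):
    """Module 193 / steps 52-54: history file missing, truncated to zero bytes, or a symlink."""
    present = [home / n for n in names if (home / n).is_symlink() or (home / n).exists()]
    if not present:
        return ["history_missing"]
    findings = []
    for path in present:
        if path.is_symlink():                     # points at another file or a device
            findings.append("history_symlink")
        elif path.stat().st_size == 0:            # truncated to hide commands
            findings.append("history_truncated")
    return findings


def check_rhost_file(home):
    """Modules 191 and 198: non-empty .rhosts present, and wildcard entries such as "++"."""
    path = home / RHOST_FILE
    if not path.is_file() or path.stat().st_size == 0:
        return []
    findings = ["rhost_exists"]
    for line in path.read_text().splitlines():
        tokens = line.split()
        if "+" in tokens or line.replace(" ", "") == "++":   # host or host/user wildcard
            findings.append("rhost_wildcard")
            break
    return findings


def check_suspicious_dirs(home, names=SUSPICIOUS_DIR_NAMES):
    """Module 194: directories whose names are on the configured hiding-tactic list."""
    return sorted(p.name for p in home.iterdir() if p.is_dir() and p.name in names)


def audit_home(home):
    """Run the three logout-time checks and return what would be sent to the controller."""
    home = Path(home)
    return {
        "history": check_history_file(home),
        "rhost": check_rhost_file(home),
        "dirs": check_suspicious_dirs(home),
    }


def build_home(anomalous=True):
    """Create a throwaway home directory; with anomalous=True it carries every condition
    the checks look for (constructed sample data)."""
    home = Path(tempfile.mkdtemp(prefix="ids_demo_"))
    if anomalous:
        (home / ".bash_history").symlink_to(os.devnull)      # history discarded via a link
        (home / RHOST_FILE).write_text("trusted.corp.example alice\n++\n")
        (home / ".. ").mkdir()
    else:
        (home / ".bash_history").write_text("ls\ncat README\n")
    return home


if __name__ == "__main__":
    print(audit_home(build_home(True)))
    print(audit_home(build_home(False)))
```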

Although the present invention has been described in detail with reference to 
certain preferred embodiments, other embodiments are possible. Therefore, the spirit and 
scope of the appended claims should not be limited to the description of the preferred 
embodiments herein. 
PCT/US00/06313 

What is claimed is: 

1. A computer implemented method for detecting intruders in a computer system (1) the 
method comprising the steps of: 

a. detecting an unauthorized user attempting to enter into a computer system (20) by 
comparing actions of the user to a dynamically built profile for the user (22) and if 
the action is out of range of the user profile, notifying a control function (37); 

b. detecting events that indicate an unauthorized entry into the computer system (49, 
75, 90) has occurred and if an event occurs that indicates unauthorized entry, 
notifying a control function (55, 85, 97); and 

c. executing an action (127) by the control function (125). 
2. The method of claim 1 wherein the dynamically built user profile comprises: 

a. dynamically constructing a user profile (22) for each computer user when the 
computer user first attempts to log into the computer system (24, 36); 

b. dynamically updating the user profile when the user logs into the system after the 
first attempt (25, 36); and 

c. updating the user profile when the user logs out of the computer system (50). 
3. The method of claim 1 further comprising dynamically monitoring system log files for 
events that indicate an unauthorized attempted entry into the computer system. 

4. The method of claim 3 wherein the dynamically monitoring system log files comprises: 

a. comparing the system log files to events to ignore and ignoring the event if the 
system log file indicates a match with an event to ignore (14); 

b. comparing the system log files to events known to indicate an unauthorized entry 
event into the computer system (12) and notifying a control function about the 
unauthorized entry event; and 

c. executing the action in response to the event by the control function (17). 
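The two-stage log audit of claims 3 and 4 (ignore list first, then known unauthorized-entry patterns, then hand-off to a control function), as an added example that is not part of the patent: the patterns, the notify callback and the sample log lines are all constructed for illustration.

```python
import re

# Added example (not the patent's own code) of the two-stage log audit in claims
# 3 and 4: each log line is first compared with the "events to ignore" list and
# dropped on a match (14); remaining lines are compared with patterns known to
# indicate an unauthorized entry (12) and each hit is passed to a control
# function (17). The patterns and the sample log lines are constructed.

IGNORE_PATTERNS = [
    re.compile(r"CRON\[\d+\]"),                               # scheduled jobs
    re.compile(r"session opened for user backup by \(uid=0\)"),
]

ALERT_PATTERNS = {
    "failed-root-login": re.compile(r"Failed password for root from (?P<host>\S+)"),
    "new-uid0-account": re.compile(r"new user: name=(?P<name>\w+), UID=0\b"),
    "su-to-root": re.compile(r"su: .*session opened for user root by (?P<name>\w+)"),
}

def audit_log_lines(lines, notify):
    """Ignore-then-match audit. notify(event, fields, line) plays the control function.
    Returns the number of lines discarded by the ignore list."""
    ignored = 0
    for line in lines:
        if any(p.search(line) for p in IGNORE_PATTERNS):
            ignored += 1
            continue  # an ignored event is never compared with the alert patterns
        for event, pattern in ALERT_PATTERNS.items():
            match = pattern.search(line)
            if match:
                notify(event, match.groupdict(), line)
                break  # one alert per line
    return ignored

SAMPLE_LOG = """\
Mar  3 02:00:01 host CRON[4123]: pam_unix(cron:session): session opened for user backup by (uid=0)
Mar  3 02:14:07 host sshd[4201]: Failed password for root from 198.51.100.23 port 40211 ssh2
Mar  3 02:15:30 host su: pam_unix(su:session): session opened for user root by dave(uid=1004)
Mar  3 02:16:02 host useradd[4300]: new user: name=svc, UID=0, GID=0, home=/root, shell=/bin/sh
Mar  3 02:20:11 host sshd[4350]: Accepted publickey for dave from 203.0.113.5 port 51022 ssh2
""".splitlines()

def run_sample():
    """Audit the constructed log; returns (ignored_count, [(event, fields), ...])."""
    alerts = []
    ignored = audit_log_lines(SAMPLE_LOG, lambda ev, fields, _line: alerts.append((ev, fields)))
    return ignored, alerts
```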

5. The method of claim 1 further comprising: 

a. dynamically monitoring user actions after the user has logged into a computer 
system for unauthorized access by the user to system information (92), and if an 
unauthorized access event occurs, notifying a control function (97) about the 
unauthorized access and automatically executing a specific action in response to 
the event by the control function (127); and 

b. dynamically monitoring user actions after the user has logged into a computer 
system for corruption of system information by the user (56, 59) and if a corruption 
of system information occurs, notifying a control function of the corruption of system 
information and executing the action in response by the control function (127). 
6. The method of claim 1 further comprising: 

a. scanning network ports (76) to determine if a user has connected to more than a 
selected number of network ports (83); 

b. if the user has exceeded the selected number of network ports (83), notifying the 
control function and executing an action in response by the control function (85). 

7. The method of claim 6 wherein the selected number of network ports is set by the 
system administrator (161). 

8. The method of claim 1 wherein the detecting events (49, 75, 90) that indicate an 
unauthorized entry into the computer system comprises: 

a. detecting anomalous events when a user logs out of the computer system (49) 
comprising: 

i. monitoring a user's file history to determine if the user's file history has been altered 
(51); 

ii. monitoring computer system files to determine if a modification has been made that 
indicates an unauthorized intrusion into the computer system (56); 

iii. monitoring a user's computer files to determine if a modification has been made 
that indicates an unauthorized intrusion into the computer system (59); 

iv. determining if a program has been left running that should have stopped running 
when the user logs out of the computer system (63); and 

b. if an anomalous event has been detected: 

i. notifying the control function about the anomalous event (55); and 

ii. allowing the control function to take action in response to the anomalous event 
(127). 

9. The method of claim 1 wherein the detecting unauthorized users (20) comprises: 

a. if the user has attempted to log in from a computer host that is not allowed access 
to the computer system, notifying the control function about the attempted login 
(26); and 

b. allowing the control function to take action in response (37). 

10. The method of claim 1 wherein the detecting unauthorized users (20) comprises: 

a. if the user attempts to log into the computer system and has an active login (28), 
checking to determine if the user is allowed to have more than one login active 
simultaneously (29), and if not, notifying a control function about the attempted login 
(37); and 

b. executing an action by the control function (127). 

11. The method of claim 2 wherein the dynamically constructed user profile for each 
computer user (22) is selected from the group consisting of storing user name, login 
terminal, time of creation of initial user profile, time of user's last login, time history of 
the user's logins, [illegible in source] and total number of logins for the computer user (24). 

12. The method of claim 11 wherein the user profile is stored in a user profile database. 

13. The method of claim 11 wherein dynamically updating the user profile for the user (22, 
25) is selected from the group consisting of updating login time, login terminal, updating a 
time history of a user's login and incrementing the total number of logins (24, 25). 

14. The method of claim 11 wherein the detecting unauthorized users (20) comprises: if the 
[illegible in source] computer system, notifying a control function (37) about the 
attempted login and allowing the control function to take action in response. 

15. The method of claim 1 further comprising: 

a. dynamically creating a list of active users logged into the computer system (36); 

b. dynamically updating the list of active users when a user logs into the system and 
logs out of the system (50). 

16. The method of claim 15 wherein the list of active users (36) comprises data 
selected from the group consisting of user name, user terminal and time of user login. 

17. The method of claim 1 wherein the control function (125) comprises: 

a. storing information about unauthorized users and events that indicate an 
unauthorized entry into the computer system (126); 

b. taking action in response to the unauthorized users and events, the action being 
selected from the group consisting of: 

i. logging the information in a local controller (128); 

ii. sending the information to a network controller (139); 

iii. disabling the unauthorized user's account (130); 

iv. blocking access to the computer system for the user (131); 

v. notifying a system administrator (135); and 

vi. ignoring the unauthorized user and unauthorized entry (136). 

18. The method of claim 17 wherein the action is selected by the system administrator 
prior to initialization of the intrusion detection system (161). 

19. The method of claim 1 wherein the control function (125) is located in a local computer 
(137) where the unauthorized user and unauthorized entry occurred. 
20. The method of claim 19 further comprising the control function (125) in the local 
computer sending information about unauthorized users and anomalous events to a 
central computer (139) connected to the local computer (137). 

21. The method of claim 1 wherein the control function (125) is located in a central 
computer (139) connected to the local computer (137). 

22. The method according to claim 21 further comprising multiple local computers (151- 
153) connected to the central computer (150). 

23. The method of claim 21 wherein the control function (125) in the central computer (150) 
comprises: 

a. performing centralized analysis of unauthorized users and events (154, 155); 

b. performing correlation of unauthorized users and events from the multiple local 
computers (156); 

c. alerting a central computer system administrator (157); and 

d. sending the analysis and correlation results to the multiple local computers (151- 
153). 

24. The method of claim 1 further comprising: 

a. for each user, continuously monitoring user activity for a threat to the computer 
system (90); and 

b. the continuously monitoring comprises analyzing user command entries (92) and 
comparing the entries to known threat events and known attack patterns (95) 
indicating a computer intrusion and if a match occurs (96), notifying the control 
function (97) and allowing the control function to take action in response (127). 

25. The method of claim 24 further comprising continuously monitoring the system process 
accounting records (93) and comparing the entries to known threat events and known 
attack patterns (95) indicating a computer intrusion and if a match occurs (96), notifying 
the control function (97) and allowing the control function to take action in response 
(127). 

26. The method of claim 24 further comprising continuously monitoring commands (94) 
entered by the user and comparing the commands to known threat events and known 
attack patterns (95) indicating a computer intrusion and if a match occurs (96), notifying 
the control function (97) and allowing the control function to take action in response 
(127). 

27. The method of claim 1 further comprising continuously monitoring network port activity 
(76) and comparing the activity to known threat events and known attack patterns 
indicating a computer intrusion (83, 84) and if a match occurs, notifying the control 
function (85) and allowing the control function to take action in response (127). 
28. The method of claim 22 wherein the action taken is selected from the group consisting 
of: logging the event (128, 129), disabling access to [illegible in source] (132), dropping a 
route to an offending system (133), blocking access from an offending system (134), 
notifying a system administrator (135) and ignoring the event. 

29. The method as in any of claims 1, 4-6, 8, 9, 14, 17, 24-27 wherein the action comprises 
a user specified action (167). 

30. The method of claim 29 wherein the user specified action is entered by a system 
administrator (161). 

31. The method as in any of claims 1, 4-6, 8, 9, 14, 17, 24-27 wherein the action is 
automatically executed by the control function (127). 

32. Computer executable software code stored on a computer readable medium 
incorporating the method as recited in any of claims 1 through 31. 